Tobias Gerlach
de en
AI
| Tobias Gerlach

Under the Hood: How OpenAI's Codex Really 'Thinks'

AI Coding OpenAI Deep Dive Agents

👋

I hope you’re having a relaxed Saturday. Today, I want to take you on a small journey into the engine room of current AI development. OpenAI published a fascinating article yesterday (January 23, 2026): “Unrolling the Codex agent loop”.

When I started web development in 2001, “automation” was just a shell script that hopefully didn’t paralyze the server. Today, we’re talking about AI agents that plan, execute, and correct. But how does this actually work technically? And – even more importantly – is it safe?

Let’s unpack it (“unroll” it) in a way that we can all understand.

What is an “Agent Loop” anyway?

In the past, AI often worked on the principle of: Input -> Output. You enter a sentence, the AI completes it. Done.

The new approach of Codex (the technology behind many coding assistants), however, is a loop. Think of it like a dialogue between a developer and their super-smart intern:

  1. The Plan: The AI receives a task (e.g., “Add an architecture diagram to the README”).
  2. The Reasoning: It converts this into text and decides: “Okay, first I need to see what’s actually in the README.”
  3. The Action (Tool Call): Instead of just responding with text, the AI calls a tool – e.g., a shell command (cat README.md).
  4. The Result: The output of the command is fed back to the AI.
  5. The Iteration: With this new knowledge, the AI plans the next step until it’s finished.

OpenAI calls this process the Agent Loop. The AI doesn’t just “think” once; it interacts continuously with your development environment.

The “Unrolling”: Memory Grows

The technically exciting (and challenging) part is how the AI maintains context. With every step in this loop, the so-called “prompt” – the text the AI receives as input – grows.

  • Start: User request.
  • Round 1: User request + AI thought + AI command + command result.
  • Round 2: Everything from Round 1 + new thoughts + new command…

This is called “Unrolling”. You unroll the entire history of actions so the AI knows what it has already done and whether it was successful.

Performance vs. Costs

As you can imagine: As this text gets longer, the AI needs more computing power (“context window”). OpenAI uses clever Prompt Caching here. Since the beginning of the conversation remains the same, the AI doesn’t have to “re-read” everything every time, but only process the newly added part. This makes it faster and more efficient.

Privacy: A Ray of Hope? 🛡️

One point that particularly pleased me as a privacy advocate is how data is handled. OpenAI explicitly mentions support for Zero Data Retention (ZDR).

This means the entire process is designed to be “stateless”. There doesn’t need to be a server memory of your previous requests that is permanently stored somewhere. Instead, the relevant context is sent fresh (and encrypted) each time.

IMO: This is an extremely important step. Especially when we give AIs deep access to our code and our shell, we must be sure that this data doesn’t end up permanently on some servers to potentially train other models.

Security and the “Sandbox”

Codex doesn’t just execute commands wildly. There is a so-called Sandbox (a protected area) and strict “Permissions Instructions”. The AI must know: “Am I allowed to do this?”

Before a shell command is executed, the system checks permissions. This is essential. Imagine if the agent suddenly decided to run rm -rf / because it wanted to “make space.” 😱

My Opinion (IMO)

I find the technical implementation impressive. The way “Reasoning” (logical conclusion) is linked with real tools (shell, file system) is a true productivity booster for us developers.

But: I also remain critical of the hype.

  1. Autonomy: The more autonomous these loops become, the harder it gets to understand why a decision was made. We must ensure that the human always remains the final authority (“Human in the Loop”).
  2. Dependency: If we rely too much on the agent finding the error in the loop itself, we might forget how to find the error ourselves.
  3. Security: Even if a sandbox exists – software is never bug-free. An agent with shell access is a potential risk if the model “hallucinates” or is manipulated (Prompt Injection).

Nevertheless: For the democratization of technology, this is great. It lowers the barrier for beginners to understand and operate complex systems. As long as we maintain control and safeguard data sovereignty, this is a tool that’s fun to use.

Stay curious, but critical!

Source: Unrolling the Codex agent loop | OpenAI

AI Translated Content

This article was translated from German using Artificial Intelligence. While we strive for accuracy, some nuances may be lost. Read original

Note: This post reflects my personal opinion and does not constitute legal advice.
Did you find a mistake or do you have questions/comments on this topic? I look forward to your message!

Tobias Gerlach

Tobias Gerlach

Battle-proof Web Developer since 2001. Seen every wave – and still here. Passionate about clean code, minimalist design, state-of-the-art technologies, and digital privacy.

Mail LinkedIn GitHub BlueSky
← Zurück zur Übersicht